RE: Worms and CScript/WScript

From: Michael Wright (mwrightat_private)
Date: Tue May 21 2002 - 16:25:47 PDT


    The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code
    Incidents" actually recommends disabling Windows Scripting Host by removing
    both cscript.exe and wscript.exe.
    
    I have added that to my logon script so that every time a user logs onto one
    of my networks, WSH is disabled.  Add that to a managed anti-virus solution
    that filters attachments by extension, and does real-time protection of both
    servers and workstations and you have a very effective virus/worm/trojan
    defense.
    
    You can download the aforementioned NSA guide directly here:
    http://nsa2.www.conxion.com/emailexec/guides/eec-1.pdf
    or browse through all the NSA guides at http://www.nsa.gov
    
    > -----Original Message-----
    > From: Blake Frantz [mailto:blakeat_private]
    > Sent: Tuesday, May 21, 2002 5:45 PM
    > To: incidentsat_private
    > Subject: Worms and CScript/WScript
    >
    >
    >
    > Hello,
    >
    > A majority of the worms (even SQLsnake) that have been going around
    > lately take advantage of cscript and wscript.  What ramifications would
    > be felt on vanilla installs of common services (MS SQL, Exchange, IIS,
    > etc.) if these two files were moved or deleted?  It seems like a fairly
    > easy way to help mitigate the 'success' of Internet worms.  Any
    > thoughts?
    >
    > Blake Frantz  A+, CNA, CCNA, MCSE
    > Network Security Analyst
    > mc.net
    > 720 Industrial Drive #121
    > Cary, IL 60013
    > phn: (847)-594-5111 x5734
    > fax: (847)-639-0097
    > mailto:blakeat_private
    > http://www.mc.net
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
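
The following audit script is an added example, not part of the original message or of the NSA guide. It reports whether the two script host binaries named in the thread are still present on a machine, and, as an assumption that goes beyond the message, whether the Windows Script Host `Enabled` registry value is set to 0.

```powershell
# Added example: audit whether Windows Script Host (WSH) is disabled here.
# Covers the method from the thread (cscript.exe / wscript.exe removed) and,
# as an assumption beyond the thread, the WSH "Enabled" registry value.

function Get-WshHostBinary {
    # The hosts live in System32 and, on 64-bit Windows, also in SysWOW64.
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
        Where-Object { Test-Path -LiteralPath $_ }
    foreach ($dir in $dirs) {
        foreach ($name in 'cscript.exe', 'wscript.exe') {
            $path = Join-Path $dir $name
            [pscustomobject]@{
                Path    = $path
                Present = Test-Path -LiteralPath $path -PathType Leaf
            }
        }
    }
}

function Get-WshRegistrySetting {
    # Enabled = 0 disables WSH; the value may be stored as REG_SZ or REG_DWORD.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key   = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -Name Enabled `
                      -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Key      = $key
            Enabled  = $value
            Disabled = ($null -ne $value -and "$value" -eq '0')
        }
    }
}

$binaries = @(Get-WshHostBinary)
$settings = @(Get-WshRegistrySetting)
$binaries | Format-Table -AutoSize
$settings | Format-Table -AutoSize

$present  = @($binaries | Where-Object { $_.Present })
$disabled = @($settings | Where-Object { $_.Disabled })
if ($present.Count -eq 0) {
    'Both script hosts are absent from the system directories.'
} elseif ($disabled.Count -gt 0) {
    "Script hosts present; Enabled=0 set in: $($disabled.Key -join ', ')"
} else {
    "WSH can run: $($present.Count) host binaries present, no Enabled=0 value."
}
```
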
    
    
    



    This archive was generated by hypermail 2b30 : Tue May 21 2002 - 21:00:54 PDT